Updated: November 12, 2014
The Cisco Application Centric Infrastructure (ACI) is an architecture that allows the application to define the networking requirements in a programmatic way. This architecture simplifies, optimizes, and accelerates the entire application deployment life cycle.
The Cisco Application Policy Infrastructure Controller (APIC) enables applications to directly connect with a secure, shared, high-performance resource pool that includes networking and Layer 4 through 7 services.
The key features of the APIC include the following:
– Application centric network policies
– Data model-based declarative provisioning
– Application, topology monitoring, and troubleshooting
– Third-party integration (Layer 4 through 7 services, vCenter, vShield)
– Image management (spine and leaf)
– Cisco ACI inventory and configuration
– Implementation on a distributed framework across a cluster of appliances
– Health Scores for key Managed Objects (tenants, application profiles, switches, etc.)
– Fault, event and performance management
– Cisco Application Virtual Switch (AVS) that can be used as a virtual leaf for the Cisco APIC
ACI Fabric and Switches
A clustered replicated APIC appliance manages the ACI fabric. Cisco Nexus 9000 Series switches can run ACI-compatible software to operate in leaf/spine fabric mode. These switches form a “fat-tree” network by connecting each leaf node to each spine node; all other devices connect to the leaf nodes.
Figure 1 shows the ACI Fabric with Cisco Nexus 9508, Cisco Nexus 9300 Series leaf switches, and the APIC.
Figure 1 ACI Fabric with Spine and Leaf Switches, and the APIC
This file includes the Python packages that model the Cisco ACI Management Information Tree.
Both files are required.
Note Installation of the SDK with SSL support on Unix/Linux and Mac OS X requires a compiler. For a Windows installation, you can install the compiled shared objects for the SDK dependencies using wheel packages.
Note The model package depends on the SDK package; be sure to install the SDK package first.
When upgrading from a 1.0(1x) release to a 1.0(2x) release, you must upgrade the switch software image for all the spine and leaf switches in the fabric first. After that upgrade is successfully completed, upgrade the APIC controller software image.
However, if you are upgrading within a 1.0(1x) release software sequence or within a 1.0(2x) release software sequence, you must first upgrade the APIC controller software image. After that upgrade is successfully completed, upgrade all the switches in the fabric.
Cisco UCS Manager software Release 2.2(1c) or later is required for the Cisco UCS Fabric Interconnect and other components, including the BIOS, CIMC, and the adapter.
This section lists usage guidelines for the APIC software.
The APIC GUI supports the following browsers:
– Chrome version 35 (at minimum) on Mac and Windows
– Firefox version 26 (at minimum) on Mac, Linux, and Windows
– Internet Explorer version 11 (at minimum)
– Safari 7.0.3 (at minimum)
Note Restart your browser after upgrading to 1.0(2j).
A known issue exists with the Safari browser and unsigned certificates. Read the information presented here before accepting an unsigned certificate for use with WebSockets.
When you access the HTTPS site, the following message appears:
“Safari can’t verify the identity of the website APIC. The certificate for this website is invalid. You might be connecting to a website that is pretending to be an APIC, which could put your confidential information at risk. Would you like to connect to the website anyway?”
To ensure that WebSockets can connect, you must do the following:
Always Trust in the three drop-down lists that appear.
If you do not follow the steps above, WebSockets will not be able to connect.
The APIC GUI includes an online version of the Quick Start guide that includes video demonstrations.
The infrastructure IP address range must not overlap with other IP addresses used in the fabric for inband and out-of-band networks.
The APIC does not provide an IPAM solution, so ensure that IP addresses are unique within a private network/context.
Press the Escape key twice (<Esc> <Esc>) to display APIC CLI command options.
In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30.
For the following services, use a DNS-based host name with out-of-band management connectivity. IP addresses can be used with both inband and out-of-band management connectivity.
– Syslog server
– Call Home SMTP server
– Tech support export server
– Configuration export server
– Statistics export server
Inband management connectivity to the spine switches is possible from any host that is connected to the leaf switches of the Fabric, and leaf switches can be managed from any host that has IP connectivity to the fabric.
The current list of protocols that are allowed (and cannot be blocked through contracts) includes the following. Some of the protocols have a SrcPort/DstPort distinction.
– UDP DestPort 161: SNMP. These cannot be blocked through contracts. Creating an SNMP ClientGroup with a list of Client-IP Addresses restricts SNMP access to only those configured Client-IP Addresses. If no Client-IP address is configured, SNMP packets are allowed from anywhere.
– TCP SrcPort 179: BGP
– TCP DstPort 179: BGP
– UDP DstPort 67: BOOTP/DHCP
– UDP DstPort 68: BOOTP/DHCP
– UDP SrcPort 53: DNS replies
– TCP SrcPort 25: SMTP replies
– TCP DstPort 443: HTTPS
– UDP SrcPort 123: NTP
– UDP DstPort 123: NTP
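The following is an added example, not part of the original release notes or any Cisco tooling: a small audit that checks flows you intend to block against the always-allowed list above and applies the SNMP ClientGroup rule. The `Flow` record, the function names, and the sample flows are hypothetical and constructed for illustration; only the protocol/port table comes from the list.

```python
import ipaddress
from typing import NamedTuple, Optional

# Transcribed from the release-note list: (protocol, port side, port, label).
ALWAYS_ALLOWED = [
    ("udp", "dst", 161, "SNMP"), ("tcp", "src", 179, "BGP"),
    ("tcp", "dst", 179, "BGP"), ("udp", "dst", 67, "BOOTP/DHCP"),
    ("udp", "dst", 68, "BOOTP/DHCP"), ("udp", "src", 53, "DNS replies"),
    ("tcp", "src", 25, "SMTP replies"), ("tcp", "dst", 443, "HTTPS"),
    ("udp", "src", 123, "NTP"), ("udp", "dst", 123, "NTP"),
]

class Flow(NamedTuple):  # hypothetical record for a flow you intend to block
    proto: str
    src_ip: str
    sport: Optional[int]  # None = unspecified
    dport: Optional[int]

def implicit_match(flow):
    """Return a description of the always-allowed entry the flow hits, else None."""
    for proto, side, port, label in ALWAYS_ALLOWED:
        value = flow.sport if side == "src" else flow.dport
        if flow.proto.lower() == proto and value == port:
            return f"{label} ({proto.upper()} {side} port {port})"
    return None

def snmp_source_allowed(src_ip, client_ips):
    """SNMP ClientGroup rule: an empty client list admits any source."""
    addr = ipaddress.ip_address(src_ip)
    return not client_ips or any(addr == ipaddress.ip_address(c) for c in client_ips)

def audit(flows, snmp_clients):
    """Return (flow, verdict) pairs for flows the operator wants blocked."""
    report = []
    for flow in flows:
        hit = implicit_match(flow)
        if hit is None:
            verdict = "contract-enforceable"
        elif hit.startswith("SNMP") and not snmp_source_allowed(flow.src_ip, snmp_clients):
            verdict = "blocked by SNMP ClientGroup"
        else:
            verdict = "allowed regardless of contract: " + hit
        report.append((flow, verdict))
    return report

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE = [Flow("udp", "192.0.2.10", 40000, 161), Flow("udp", "192.0.2.50", 40000, 161),
          Flow("tcp", "192.0.2.10", 40001, 443), Flow("tcp", "192.0.2.10", 40002, 22),
          Flow("udp", "192.0.2.10", 53, 40003)]
```

Call `audit(SAMPLE, snmp_clients=["192.0.2.50"])` to get a verdict per flow; passing an empty client list shows SNMP reverting to allowed from any source.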
Note The APIC 1.0(1n) release is the earliest version supported for downgrading from a 1.0(2x) release. When downgrading from 1.0(2x) to 1.0(1n), first downgrade the switch software image for all the spine and leaf switches in the fabric. After that downgrade is successfully completed, downgrade the APIC controller software image.
When configuring an AC (atomic counter) policy between two endpoints, and an IP is learned on one of the two endpoints, it is recommended to use an IP-based policy, and not a client endpoint based policy.
New and Changed Information
This section lists the new and changed features in Release 1.0(2j), and includes the following topics:
New Hardware Features in Cisco Application Policy Infrastructure Controller Release 1.0(2j)
The Cisco Application Policy Infrastructure Controller Release 1.0(2j) supports the following new hardware features:
– N9K-M6PQ - ACI Uplink Module for Nexus 9300 with six 40-Gigabit port QSFP support
– N9K-C9504 - Cisco Nexus 9504 chassis with 4 slots
– N9K-SUP-B - Cisco Nexus 9500 Series supervisor module
– N9K-C9504-FM - Fabric module
– N9K-C9396TX - Cisco Nexus 9300 48-port, 1/10 Gbps Base-T and 6-port or 12-port, 40 Gigabit Ethernet QSFP switch
New Software Features in Cisco Application Policy Infrastructure Controller Release 1.0(2j)
The Cisco Application Policy Infrastructure Controller Release 1.0(2j) supports the following new software features:
Traffic Storm Control – Enables you to create policies that prevent disruptions on Layer 2 ports by broadcast, multicast, or unicast traffic storms. For more information, see KB: Configuring Traffic Storm Control with Cisco APIC. The link to KB articles is available in the “Related Documentation” section.
Static management IP addresses – Enables you to configure static inband connectivity. For more information, see KB: Configuring Static Management Access with Cisco APIC. The link to KB articles is available in the “Related Documentation” section.
Increased contract scale – The maximum contract limit for fabric is now 1,000 contracts and 10,000 filters. The maximum limit for leaf switches is 4K TCAM entries (specific to N9K-M12PQ) and 16K TCAM entries (specific to N9K-M6PQ).
Enhancement on config import – Enables the backups of APIC policies to be imported into the APIC, which allows the system to be restored to a previous configuration. You can do an atomic replace, which enables you to roll back to a previous config state.
For an endpoint group (EPG) mapped to a bridge domain (BD) in legacy mode, if the encap specified at the static path attachment of a port to an EPG is different from the encap mentioned at the BD level, no fault is raised in the current release.
When the clock between nodes gets re-synched, atomic counters to and from the node show incorrect drops or incorrect excess packet counts for the first couple of minutes. The suspect flag in the counters is also not set. The condition gets fixed after a couple of seconds.
If a vShield controller is configured and operational in a version earlier than 1.0(2j), a policy-based upgrade to 1.0(2j), or a subsequent release, will fail in a vShield configuration. Also, a vShield configuration exported from an APIC version earlier than 1.0(2j) cannot be imported back into an APIC running software version 1.0(2j) or later.
This section lists caveats that describe known behaviors in the Cisco ACI, Release 1.0(2j). Click a Bug ID shown in Table 4 to access the Bug Search Tool and see additional information about the bug.
This document is to be used in conjunction with the documents listed in the “Known Behaviors” section.